Privacy Policy
Effective date: 2026-04-20
Last updated: 2026-04-20
This privacy policy explains how Paloma AI, Inc. ("Paloma," "we," "us") collects, uses, and protects personal data when you visit our website, use our services, or interact with us. It applies to paloma.so and all services we provide.
We process data lawfully, transparently, and only for the purposes described here. If something in this policy is unclear, reach out to us at legal@getpaloma.ai.
1. Our role: when we're the controller and when we're the processor
Paloma operates in two capacities depending on the context.
As a data controller: We collect and manage personal data directly from you, such as when you visit our website, fill out a contact form, or book a call. We decide why and how this data is processed.
As a data processor: When we work with a customer, we access and process operational data (ERP exports, production records, logistics data, spreadsheets) on their behalf and under their instructions. The customer remains the controller of that data. Our processing is governed by the data processing agreement we sign with each customer.
If you are an employee or representative of one of our customers and have questions about how your company's data is handled, contact your employer. They are the controller.
2. What data we collect
Data you give us directly:
- Name, work email, company name, and job title when you book a call or fill out a form
- Any information you include in messages to us
Data we collect automatically when you visit our website:
- IP address, browser type, operating system, referring URL
- Pages visited, time spent, and interactions on the site
- Cookies and similar tracking technologies (see Section 11)
Customer operational data (as a processor):
- Production data, logistics records, ERP exports, spreadsheets, and other operational data that customers share with us to deliver our services
- This data belongs to our customers. We access it only to perform the work they've hired us to do.
Data we do not collect:
- We do not collect payment information directly. If payments are involved, they are handled by third-party providers.
- We do not knowingly collect personal data from anyone under 18 (see Section 13).
3. How we use your data
Website and communications data (as controller):
- To respond to your inquiries and schedule calls
- To send you information you've requested
- To improve our website and understand how visitors use it
- To protect the security of our website and services
Customer operational data (as processor):
- To deliver the services described in our agreement with your company
- To build, test, and improve the tools and workflows we create for that specific customer
- To generate insights and reports for that specific customer
We do not use customer operational data for any purpose other than serving that customer.
4. Legal basis for processing
We process personal data under the following legal bases:
- Contract performance: To deliver services you or your company have engaged us for, or to take steps before entering into a contract, such as responding to an inquiry.
- Legitimate interest: To operate and improve our website, ensure security, prevent fraud, and conduct business communications. We balance our interests against your rights and freedoms.
- Consent: Where you have given us specific consent, such as opting into non-essential cookies or marketing communications. You can withdraw consent at any time.
- Legal obligation: Where we are required to process data to comply with applicable law.
5. AI and your data
This is important to us, so we want to be direct about it.
We do not use customer data to train general-purpose AI models. Customer operational data is used only to build and improve tools for that specific customer. It is not shared across customers, used to train models that serve other clients, or fed into any public or shared machine learning system.
Third-party AI providers. Some of our services use third-party AI infrastructure to process customer data, for example, large language model providers. When customer data passes through these providers:
- They are listed as sub-processors and bound by data processing agreements that prohibit them from using your data to train their models
- They operate under zero-retention or minimal-retention terms, meaning your data is not stored by them beyond what is needed to process your request
- They are subject to the same confidentiality and security obligations as any other sub-processor
When we use AI within our services, it operates on your data to serve you. Your data stays yours.
If our AI systems produce outputs or recommendations, your team always has the final say. We build tools that support human decisions, not replace them.
6. Who we share data with
We do not sell personal data. We share data only in these circumstances:
Service providers: We use third-party tools for hosting, analytics, communication, and infrastructure. These providers process data on our behalf, under agreements that require them to protect it. A list of our current sub-processors is available on request.
Legal requirements: We may disclose data if required by law, regulation, legal process, or government request.
Business transfers: If Paloma is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any change in how your data is handled.
With your consent: We may share data in other circumstances if you have given us explicit permission.
7. International data transfers
Paloma is based in the United States and works with customers internationally, including in Turkey and the European Union. This means personal data may be transferred across borders.
For transfers from the EU/EEA: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by appropriate technical safeguards such as encryption in transit and at rest.
For transfers involving Turkey: We comply with the requirements of Turkey's Personal Data Protection Law (KVKK, Law No. 6698), including obtaining necessary approvals and ensuring adequate protection for cross-border transfers.
We evaluate the data protection laws of each destination country and apply additional safeguards where needed.
8. How long we keep your data
Website and communications data: We retain your contact information and inquiry details for as long as we have an ongoing relationship or legitimate business reason to keep them. If you ask us to delete your data, we will do so promptly unless we have a legal obligation to retain it.
Customer operational data: We retain customer data for the duration of our engagement. After a contract ends, we delete or return all customer data within 60 days, unless the customer instructs us otherwise or we are legally required to retain it.
9. Your rights
Depending on where you are located, you may have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Correction: Ask us to correct inaccurate or incomplete data.
- Deletion: Ask us to delete your personal data, subject to legal retention requirements.
- Portability: Request your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interest.
- Restriction: Ask us to limit how we process your data in certain circumstances.
- Withdraw consent: Where processing is based on consent, withdraw it at any time.
For EU/EEA residents: You have rights under the General Data Protection Regulation (GDPR). You may also file a complaint with your local data protection authority.
For Turkish residents: You have rights under KVKK (Law No. 6698), including the right to request information about your data, correction, deletion, and to object to automated processing. You may file a complaint with the Personal Data Protection Authority (KVKK Kurumu).
To exercise any of these rights, contact us at legal@getpaloma.ai. We will respond within 30 days.
10. Data security
We take reasonable technical and organizational measures to protect personal data, including:
- Encryption of data in transit and at rest
- Access controls and least-privilege permissions
- Access to customer systems is scoped per engagement. The level of access, read-only, read-write, or integration, is documented and agreed in writing before work begins.
- All team members with access to customer data are bound by confidentiality agreements
- Regular review of access permissions and security practices
No system is perfectly secure. If we become aware of a data breach that affects your personal data, we will notify you and any relevant authorities as required by law.
11. Cookies
Our website uses cookies to function properly and to understand how visitors use it.
Essential cookies are necessary for the website to work. They cannot be disabled.
Analytics cookies help us understand traffic patterns and improve the site. These are only placed with your consent.
You can manage your cookie preferences through your browser settings or through the consent controls on our website. Disabling certain cookies may affect site functionality.
12. Third-party links
Our website may contain links to other websites. We are not responsible for the privacy practices of those sites. We encourage you to read their privacy policies.
13. Children
Our services are designed for professional use by businesses and their representatives. We do not knowingly collect personal data from anyone under 18. If we learn that we have collected data from a minor, we will delete it promptly.
14. Changes to this policy
We may update this privacy policy from time to time. When we make material changes, we will update the "last updated" date at the top of this page and, where required, notify you directly.
15. Contact us
If you have questions about this privacy policy or how we handle your data:
Paloma AI, Inc.
2261 Market Street, San Francisco, CA 94114, USA
legal@getpaloma.ai